http://qs321.pair.com?node_id=95173


in reply to Re: (Ovid) Re(4): CGI OO 'param' vs. hash
in thread CGI OO 'param' vs. hash

No, you don't need a shell for nul bytes to be a security problem. Lots of C APIs won't handle nul bytes. For example: open( X, "> test\0me.txt" ) will succeed and will create a file called simply "test".

And if you want to send something to a shell, you need to decide what characters to allow, rather than what characters to not allow. /(\w[-\w.]*)/ is a good, generic starting point.

        - tye (but my friends call me "Tye")
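An added example (not part of tye's post): a C validator that applies both points above to a user-supplied filename, rejecting an embedded nul byte by comparing strlen against the real byte count and then accepting only the /(\w[-\w.]*)/ allow-list, anchored to the whole value. The function name validate_name and the sample inputs are constructed for this illustration.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original post.
 * A C string ends at the first nul, so "test\0me.txt" passed to a C API
 * names the file "test". A caller that knows the true length (as a CGI
 * program does for a param value) can detect that before any API sees it.
 * The allow-list is tye's /(\w[-\w.]*)/ in POSIX ERE spelling, anchored. */

/* Returns 1 if name (of explicit byte length len) is safe, 0 otherwise. */
int validate_name(const char *name, size_t len) {
    /* strlen stops at the first nul; a mismatch means an embedded nul. */
    if (len == 0 || strlen(name) != len)
        return 0;

    regex_t re;
    if (regcomp(&re, "^[A-Za-z0-9_][-A-Za-z0-9_.]*$",
                REG_EXTENDED | REG_NOSUB) != 0)
        return 0;                       /* treat a compile failure as unsafe */
    int ok = regexec(&re, name, 0, NULL, 0) == 0;
    regfree(&re);
    return ok;
}

int main(void) {
    /* Constructed sample input; sizeof - 1 is the true byte count (11). */
    static const char nul_name[] = "test\0me.txt";
    printf("strlen sees %zu of %zu bytes\n",
           strlen(nul_name), sizeof nul_name - 1);
    printf("nul name      -> %d\n", validate_name(nul_name, sizeof nul_name - 1));
    printf("plain name    -> %d\n", validate_name("report-2001.txt", 15));
    printf("shell meta    -> %d\n", validate_name("a;b", 3));
    printf("dot-dot path  -> %d\n", validate_name("../secret", 9));
    return 0;
}
```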